Proposed Regulations under Virginia's Insurance Data Security Act

Cybersecurity & Technology

We recently provided an overview of Virginia's new Insurance Data Security Act (the "Act").  Now, as required under the Act, Virginia's Bureau of Insurance has proposed regulations (the "Proposed Regs") implementing the Act.  One of the primary effects of the Proposed Regs is to distinguish between smaller licensees and the rest of the pack for purposes of specifying requirements and timing around risk assessments and information security program security measures.  Under the Proposed Regs, licensees with more than 10 employees and authorized persons are referred to as "level one" licensees, and those with 10 or fewer employees and authorized persons are referred to as "level two" licensees.

For risk assessments and implementation of security measures, the Proposed Regs point level one licensees to certain NIST publications and require that they consider cybersecurity risks in their enterprise risk management processes.  For level two licensees, rather than pointing to NIST publications, the Proposed Regs set out specific elements and safeguards that must be addressed in risk assessments and implementation of security measures.  Significantly, the Proposed Regs set different effective dates for compliance with these provisions for level one and level two licensees.  The effective date for level one licensees is set for one year from the effective date of the Proposed Regs, while the effective date for level two licensees is set for July 1, 2022.

The Proposed Regs also provide procedures for reporting cybersecurity events to the Bureau generally, as well as options for domestic insurance companies to report certain additional details on an annual basis for cybersecurity events that do not involve access to nonpublic information (those options do not apply to domestic producers, however).

Finally, the Proposed Regs establish a notification procedure that appears to be intended to give the Bureau an opportunity to review and overrule a licensee's determination that notice to consumers is not required under the Act because there is no reasonable likelihood of identity theft or fraud.  After reviewing a licensee's basis for any such determination, the Bureau may determine that the requisite likelihood of harm does exist, and then require the licensee to notify consumers in accordance with the notification procedures in the Act.

The deadline for submitting comments or requesting a hearing in connection with the Proposed Regs is October 26, 2020.

The lawyers in Sands Anderson’s Cybersecurity and Technology Team help clients understand the threats and risks to their systems and data, and advise them concerning steps they should take to meet their legal data security obligations and improve their overall cybersecurity posture. Please contact any member of our team if you have questions about data security compliance, data privacy, data breach response, data strategy or technology contracts and licensing.
